Your message dated Wed, 27 Mar 2024 04:05:08 +0000
with message-id <e1rpkxe-004e0y...@fasolo.debian.org>
and subject line Bug#1067805: fixed in node-katex 0.16.10+~cs6.1.0-1
has caused the Debian Bug report #1067805,
regarding node-katex: CVE-2024-28243 CVE-2024-28244 CVE-2024-28245 
CVE-2024-28246
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1067805: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067805
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-katex
Version: 0.16.4+~cs6.1.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for node-katex.

CVE-2024-28243[0]:
| KaTeX is a JavaScript library for TeX math rendering on the web.
| KaTeX users who render untrusted mathematical expressions could
| encounter malicious input using `\edef` that causes a near-infinite
| loop, despite setting `maxExpand` to avoid such loops. This can be
| used as an availability attack, where e.g. a client rendering
| another user's KaTeX input will be unable to use the site due to
| memory overflow, tying up the main thread, or stack overflow.
| Upgrade to KaTeX v0.16.10 to remove this vulnerability.


CVE-2024-28244[1]:
| KaTeX is a JavaScript library for TeX math rendering on the web.
| KaTeX users who render untrusted mathematical expressions could
| encounter malicious input using `\def` or `\newcommand` that causes
| a near-infinite loop, despite setting `maxExpand` to avoid such
| loops. KaTeX supports an option named maxExpand which aims to
| prevent infinitely recursive macros from consuming all available
| memory and/or triggering a stack overflow error. Unfortunately,
| support for "Unicode (sub|super)script characters" allows an
| attacker to bypass this limit. Each sub/superscript group
| instantiated a separate Parser with its own limit on macro
| executions, without inheriting the current count of macro executions
| from its parent. This has been corrected in KaTeX v0.16.10.


CVE-2024-28245[2]:
| KaTeX is a JavaScript library for TeX math rendering on the web.
| KaTeX users who render untrusted mathematical expressions could
| encounter malicious input using `\includegraphics` that runs
| arbitrary JavaScript, or generate invalid HTML. Upgrade to KaTeX
| v0.16.10 to remove this vulnerability.


CVE-2024-28246[3]:
| KaTeX is a JavaScript library for TeX math rendering on the web.
| Code that uses KaTeX's `trust` option, specifically that provides a
| function to blacklist certain URL protocols, can be fooled by URLs
| in malicious inputs that use uppercase characters in the protocol.
| In particular, this can allow for malicious input to generate
| `javascript:` links in the output, even if the `trust` function
| tries to forbid this protocol via `trust: (context) =>
| context.protocol !== 'javascript'`. Upgrade to KaTeX v0.16.10 to
| remove this vulnerability.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-28243
    https://www.cve.org/CVERecord?id=CVE-2024-28243
    https://github.com/KaTeX/KaTeX/security/advisories/GHSA-64fm-8hw2-v72w
[1] https://security-tracker.debian.org/tracker/CVE-2024-28244
    https://www.cve.org/CVERecord?id=CVE-2024-28244
    https://github.com/KaTeX/KaTeX/security/advisories/GHSA-cvr6-37gx-v8wc
[2] https://security-tracker.debian.org/tracker/CVE-2024-28245
    https://www.cve.org/CVERecord?id=CVE-2024-28245
    https://github.com/KaTeX/KaTeX/security/advisories/GHSA-f98w-7cxr-ff2h
[3] https://security-tracker.debian.org/tracker/CVE-2024-28246
    https://www.cve.org/CVERecord?id=CVE-2024-28246
    https://github.com/KaTeX/KaTeX/security/advisories/GHSA-3wc5-fcw2-2329

Regards,
Salvatore

--- End Message ---
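The maxExpand bypass described for CVE-2024-28244 above comes down to budget bookkeeping: the per-parser expansion counter was not inherited by the parser spawned for a sub/superscript group, so total work scaled with the number of groups. The toy expander below is an added example, not KaTeX's own code; its token shapes, macro table and the `inheritBudget` switch are invented for illustration, and the malicious input is constructed here.

```javascript
// Added example, not KaTeX's own code: a toy macro expander modelling the
// defect behind CVE-2024-28244. `maxExpand` caps macro expansions per parser,
// but a nested group (what a Unicode sub/superscript became in the vulnerable
// versions) was parsed by a fresh parser with its own counter, so total work
// scales with the number of groups. Token and macro shapes are invented here.

class ExpansionBudget {
  constructor(max) { this.max = max; this.used = 0; }
  charge() {
    if (++this.used > this.max) throw new Error('maxExpand exceeded');
  }
}

// Expands `tokens`. A token is a string (a macro name if present in
// `macros`, otherwise literal output) or an array (a nested group).
// `inheritBudget` selects the fixed behaviour (child groups share the
// parent's counter) or the vulnerable one (each group gets a fresh counter).
function run(tokens, macros, maxExpand, inheritBudget) {
  const stats = { expansions: 0 }; // total work done, across all parsers

  function expand(toks, budget) {
    const stack = toks.slice().reverse(); // pop() yields tokens in order
    const out = [];
    while (stack.length > 0) {
      const tok = stack.pop();
      if (Array.isArray(tok)) {
        const child = inheritBudget ? budget : new ExpansionBudget(maxExpand);
        out.push(expand(tok, child));
      } else if (macros.has(tok)) {
        stats.expansions += 1;
        budget.charge(); // throws once this parser's own limit is exceeded
        const body = macros.get(tok);
        for (let i = body.length - 1; i >= 0; i--) stack.push(body[i]);
      } else {
        out.push(tok);
      }
    }
    return out;
  }

  try {
    const output = expand(tokens, new ExpansionBudget(maxExpand));
    return { ok: true, output, expansions: stats.expansions };
  } catch (err) {
    return { ok: false, output: null, expansions: stats.expansions };
  }
}

// Constructed malicious input: \b costs 7 expansions (1 + 2 + 4), which stays
// under maxExpand = 10 inside any single group, and 1000 groups each invoke it.
const MACROS = new Map([
  ['\\b', ['\\c', '\\c']],
  ['\\c', ['\\d', '\\d']],
  ['\\d', ['x', 'x']],
]);
const GROUPS = 1000;
const MAX_EXPAND = 10;
const INPUT = Array.from({ length: GROUPS }, () => ['\\b']);

// Fresh counter per group: every group stays under the limit, 7000 expansions run.
function vulnerableRun() { return run(INPUT, MACROS, MAX_EXPAND, false); }
// Shared counter: the limit trips during the second group.
function fixedRun() { return run(INPUT, MACROS, MAX_EXPAND, true); }
```

The point to check in your own parser is the one the advisory names: any sub-parser spawned for a nested construct must carry the parent's counter forward (or the parent must charge for the child's work), otherwise a per-parser limit bounds only the cost of one group, not of the document.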
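For CVE-2024-28246 the report above quotes the denylist-style callback `trust: (context) => context.protocol !== 'javascript'`, which an uppercase scheme walks past. The code below is an added example, not KaTeX's own: it puts that callback next to an allow-list version that normalises case, and adds a scheme extractor that reads a URL the way a browser will read the resulting `href`. The `context` objects are constructed here; the `_relative` marker for scheme-less URLs and the case-preserving `schemeOf` standing in for pre-fix extraction are assumptions of this example.

```javascript
// Added example, not KaTeX's own code. `context.protocol` is the field the
// advisory's callback checks; the objects passed below are constructed here,
// and "_relative" as the marker for scheme-less URLs is an assumption.
const SAFE_PROTOCOLS = new Set(['http', 'https', 'mailto', '_relative']);

// The pattern quoted in the advisory: only the exact lowercase string is
// refused, so a protocol of "JavaScript" or "JAVASCRIPT" is let through.
function vulnerableTrust(context) {
  return context.protocol !== 'javascript';
}

// Hardened: normalise case, then require membership in an allow-list instead
// of absence from a denylist. Unknown or non-string protocols are refused.
function hardenedTrust(context) {
  if (typeof context.protocol !== 'string') return false;
  return SAFE_PROTOCOLS.has(context.protocol.toLowerCase());
}

// Scheme as written in the URL, or null when there is none. Before matching,
// ASCII tab/newline anywhere are dropped and leading C0 controls and spaces
// are stripped, mirroring what browsers do when resolving an href, so
// "  Ja\tvaScript:alert(1)" is not mistaken for a scheme-less URL.
function schemeOf(url) {
  const cleaned = url.replace(/[\t\n\r]/g, '').replace(/^[\u0000-\u0020]+/, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1] : null;
}

// Normalised protocol for the trust decision.
function protocolOf(url) {
  const s = schemeOf(url);
  return s === null ? '_relative' : s.toLowerCase();
}

// End-to-end decision about a raw URL string with the hardened callback.
function isTrustedUrl(url) {
  return hardenedTrust({ url, protocol: protocolOf(url) });
}

// Constructed sample inputs for the example.
const SAMPLES = [
  'https://example.com/figure.png',
  '/static/figure.png',
  'javascript:alert(1)',
  'JavaScript:alert(1)',
  '  Ja\tvaScript:alert(1)',
];

// One row per sample: what the denylist callback decides when handed the
// scheme in its original case (the pre-fix situation the advisory describes,
// modelled by schemeOf here) versus the allow-list callback.
function report() {
  return SAMPLES.map((url) => {
    const raw = schemeOf(url);
    return {
      url,
      protocol: protocolOf(url),
      vulnerable: vulnerableTrust({ url, protocol: raw === null ? '_relative' : raw }),
      hardened: isTrustedUrl(url),
    };
  });
}
```

Two habits carry over to any `trust` callback you write: compare schemes only after lower-casing (or let the library hand you a normalised value and verify that it does), and express the policy as an allow-list of the few schemes you actually need rather than a denylist of the ones you remember.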
--- Begin Message ---
Source: node-katex
Source-Version: 0.16.10+~cs6.1.0-1
Done: Yadd <y...@debian.org>

We believe that the bug you reported is fixed in the latest version of
node-katex, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1067...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated node-katex package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 27 Mar 2024 07:18:56 +0400
Source: node-katex
Architecture: source
Version: 0.16.10+~cs6.1.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers 
<pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 1067805
Changes:
 node-katex (0.16.10+~cs6.1.0-1) unstable; urgency=medium
 .
   * Team upload
   * Update standards version to 4.6.2, no changes needed.
   * Drop .yarn from import
   * New upstream version (Closes: #1067805, CVE-2024-28243, CVE-2024-28244,
     CVE-2024-28245, CVE-2024-28246)
   * Refresh patches
   * Fix babel-plugin-preval version
Checksums-Sha1: 
 a21598bf00e514b6e2577ccea7759fb1676fbe6d 3485 node-katex_0.16.10+~cs6.1.0-1.dsc
 d94d23ed0c3f11b43ff4b335045971fcf72b465c 20596 
node-katex_0.16.10+~cs6.1.0.orig-babel-plugin-preval.tar.xz
 fc8631bcd90c78f19f21c23652b9f1ff56007cea 1900 
node-katex_0.16.10+~cs6.1.0.orig-babel-plugin-version-inline.tar.xz
 5556fd6a794cef4bb21a9537b262d4072f39aca6 12507068 
node-katex_0.16.10+~cs6.1.0.orig.tar.xz
 2ac03cca3aeda06ba516d90b94cb8b73661dbae9 37168 
node-katex_0.16.10+~cs6.1.0-1.debian.tar.xz
Checksums-Sha256: 
 d60489e99e50abdf7185a2fd255dda746423468997db0c5c7dc8ac295da507b2 3485 
node-katex_0.16.10+~cs6.1.0-1.dsc
 c513cc8ae13b512154a5e49a72666db9f208653c435d10988598a5ec0cb64c6c 20596 
node-katex_0.16.10+~cs6.1.0.orig-babel-plugin-preval.tar.xz
 4316bc92abdaa0e055cc1686da853a8e8762fba5925d028d6b51466ec27dad23 1900 
node-katex_0.16.10+~cs6.1.0.orig-babel-plugin-version-inline.tar.xz
 53f0b0ec87044dc50ce3470ea166dadf84473c75f0fb8a3a01b20ceb69c93888 12507068 
node-katex_0.16.10+~cs6.1.0.orig.tar.xz
 d87bf350c6630de2d822d33933de90e0b782072ec1bd92883075443768a1078b 37168 
node-katex_0.16.10+~cs6.1.0-1.debian.tar.xz
Files: 
 b3818335898f1dced954d3424e51ad7f 3485 javascript optional 
node-katex_0.16.10+~cs6.1.0-1.dsc
 5ed9ac69c972121ee5b6ef4b2d74bb40 20596 javascript optional 
node-katex_0.16.10+~cs6.1.0.orig-babel-plugin-preval.tar.xz
 2496ed1fcf1d2960e5a498fb823a48f0 1900 javascript optional 
node-katex_0.16.10+~cs6.1.0.orig-babel-plugin-version-inline.tar.xz
 3fb33b6e39b805b49cd5df8c84cbfd6a 12507068 javascript optional 
node-katex_0.16.10+~cs6.1.0.orig.tar.xz
 77cb64c785b364c4d1e40e9388ec4a36 37168 javascript optional 
node-katex_0.16.10+~cs6.1.0-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
